Acunetix is a web vulnerability scanner built for teams that want automated DAST without a steep learning curve. It detects over 7,000 vulnerability types with 99.98% accuracy through proof-based scanning.
Part of the Invicti family, Acunetix targets small and mid-sized organizations while Invicti handles enterprise accounts. Over 2,300 companies use it, including Cisco, NASA, and American Express.
Key Features
| Feature | Details |
| --- | --- |
| Vulnerability checks | 7,000+ types including OWASP Top 10, out-of-band |
| Accuracy | 99.98% with proof-based scanning |
| Scanning engine | C++ based, 2-4 hour average scan time |
| IAST support | AcuSensor agent for .NET, Java, PHP, Node.js |
| Risk scoring | Predictive AI model using 220+ parameters, 83% minimum confidence |
| API scanning | REST, SOAP, GraphQL |
| SPA support | Full JavaScript rendering for React, Angular, Vue |
| Concurrent scans | Unlimited parallel scans |
| Update cadence | Monthly releases with auto-update |
Proof-Based Scanning
Acunetix confirms vulnerabilities by safely exploiting them, producing proof-of-exploit for each finding. Less time triaging, more time fixing.
AcuSensor IAST
Deploy the AcuSensor agent inside your application server to combine DAST with IAST. The agent identifies the exact line of code causing a vulnerability and catches issues invisible to external scanning alone.
Business Logic Recorder
Record multi-step workflows like checkout flows, registration sequences, or admin operations. The scanner replays these recorded paths during scans, covering areas that automated crawlers miss.
Predictive Risk Scoring
Acunetix uses a machine learning model that analyzes over 220 parameters to estimate vulnerability risk before scanning begins. The model requires a minimum 83% confidence threshold before assigning a risk score.
Your most exposed targets get scanned first.
Invicti Family
Acunetix and Invicti share the same proof-based scanning engine. Acunetix is the simpler, more affordable option aimed at SMBs. If you outgrow it, migration to Invicti’s enterprise platform is straightforward.
Reporting
Acunetix ships with multiple report templates covering both technical and compliance needs:
Standard reports: Affected Items, Developer, Executive Summary, Quick
Compliance reports: CWE, HIPAA, ISO 27001, NIST SP 800-53, OWASP Top 10, PCI DSS, Sarbanes-Oxley, STIG DISA, WASC
Export formats: CSV, JSON, XML
Integrations
Issue trackers: GitHub, GitLab, Jira, Azure DevOps
CI/CD: Jenkins, GitLab CI, Azure DevOps
WAF: F5 BIG-IP, Imperva, FortiWeb, AWS WAF
There is also a REST API for custom integrations.
Getting Started
1. Add targets — Enter your web application URLs. Acunetix supports FQDNs, IP ranges, and API endpoints.
2. Configure authentication — Use the Business Logic Recorder to capture login flows and multi-step processes the scanner should follow.
3. Run a scan — Pick a scan profile (Full, High Risk, XSS, SQL Injection, or custom) and launch. Average scan time is 2-4 hours.
4. Review findings — Each vulnerability includes proof-of-exploit, affected URL, severity rating, and remediation guidance. Push results to Jira or your issue tracker.
Licensing
Acunetix uses target-based pricing per FQDN. Minimum purchase is 5 targets on a 2-year subscription with annual payment. No free tier or community edition exists.
Best For
Teams transitioning from occasional pentests to continuous automated scanning. Acunetix’s guided workflow and proof-based results mean you spend less time configuring the tool and triaging false positives. For enterprise-scale needs, look at Invicti.
Limitations
Acunetix does not offer a free tier. The 5-target minimum and 2-year commitment may not suit organizations that want to test a single application first. Authenticated scanning of highly complex SPAs can still require manual macro recording. For open-source alternatives, consider ZAP or Nuclei.
The scanner is a DAST tool focused on web applications and APIs. It does not replace SAST for source code analysis or manual penetration testing for business logic flaws.
Note: Acunetix is part of the Invicti family. Acunetix targets SMBs while Invicti serves enterprise accounts.
Frequently Asked Questions
What does Acunetix scan for?
Acunetix crawls and scans web applications, APIs, and single-page applications for over 7,000 vulnerability types including SQL injection, XSS, CSRF, and misconfigurations. It works against running applications without access to source code.
Is Acunetix free?
No. Acunetix is commercial with no free tier. Licensing is target-based (per FQDN) with a minimum of 5 targets on a 2-year subscription. Contact sales for pricing.
How does Acunetix compare to Burp Suite Enterprise?
Acunetix is easier to set up with a guided scanning workflow aimed at teams without deep security expertise. Burp Suite Enterprise gives experienced testers more manual control and extensibility but has a steeper learning curve.
Can Acunetix run in a CI/CD pipeline?
Yes. Acunetix provides a REST API and integrations with Jenkins, GitLab CI, and Azure DevOps. You can trigger scans per build and fail the pipeline on high-severity findings.
What is AcuSensor?
AcuSensor is an IAST agent you deploy inside your application server. It gives Acunetix visibility into server-side code execution during scans, helping identify the exact line of code responsible for a vulnerability and reducing false positives.